What is CVE-2023-35152?

CVE-2023-35152 is a vulnerability in XWiki Platform that allows any logged in user to add dangerous content in their first name field and execute it with programming rights, leading to rights escalation.

How severe is CVE-2023-35152?

CVE-2023-35152 has a severity score of 8.8 (critical).

Which versions of XWiki Platform are affected by CVE-2023-35152?

Versions 12.9-rc-1 to 14.4.8, 14.10.6, 15.0, and 15.0-rc1 of XWiki Platform are affected by CVE-2023-35152.

How can I fix CVE-2023-35152?

To fix CVE-2023-35152, you should upgrade to XWiki Platform versions 14.4.8, 14.10.6, 15.0, or 15.0-rc1.

Are there any references for CVE-2023-35152?

Yes, you can find more information about CVE-2023-35152 at the following references: [Link 1](https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39), [Link 2](https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49), [Link 3](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm).

Vulnerability/
CVE-2023-35152

critical

CWE

94 95

20/6/2023

23/6/2023

2/8/2024

CVE-2023-35152: XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults

First published: Tue Jun 20 2023(Updated: )

### Impact Any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. ### Patches The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. ### Workarounds The vulnerability can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49). On versions before 13.4-rc-1, the fix needs to be applied on [XWiki.Like.Code.LiveTableResultPage](https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39). ### References - The reported issue https://jira.xwiki.org/browse/XWIKI-20611, fixed by https://jira.xwiki.org/browse/XWIKI-19900 - The patch https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Xwiki Xwiki	>=12.9<14.4.8
Xwiki Xwiki	>=14.10<14.10.6
Xwiki Xwiki	=12.9-rc1
Xwiki Xwiki	=15.0
Xwiki Xwiki	=15.0-rc1
maven/org.xwiki.platform:xwiki-platform-like-ui	>=15.0-rc-1<15.1	15.1
maven/org.xwiki.platform:xwiki-platform-like-ui	>=14.5<14.10.6	14.10.6
maven/org.xwiki.platform:xwiki-platform-like-ui	>=12.9-rc-1<14.4.8	14.4.8

Remedy

https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39

Remedy

https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-35152?
CVE-2023-35152 is a vulnerability in XWiki Platform that allows any logged in user to add dangerous content in their first name field and execute it with programming rights, leading to rights escalation.
How severe is CVE-2023-35152?
CVE-2023-35152 has a severity score of 8.8 (critical).
Which versions of XWiki Platform are affected by CVE-2023-35152?
Versions 12.9-rc-1 to 14.4.8, 14.10.6, 15.0, and 15.0-rc1 of XWiki Platform are affected by CVE-2023-35152.
How can I fix CVE-2023-35152?
To fix CVE-2023-35152, you should upgrade to XWiki Platform versions 14.4.8, 14.10.6, 15.0, or 15.0-rc1.
Are there any references for CVE-2023-35152?
Yes, you can find more information about CVE-2023-35152 at the following references: [Link 1](https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39), [Link 2](https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49), [Link 3](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm).

collector/nvd-index
collector/github-advisory-latest
alias/GHSA-rf8j-q39g-7xfm
alias/CVE-2023-35152
collector/nvd-cve
collector/github-advisory
agent/author
agent/type
agent/remedy
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/weakness
agent/references
agent/severity
agent/last-modified-date
agent/title
agent/tags
agent/description
agent/event
vendor/xwiki
canonical/xwiki xwiki
version/xwiki xwiki/12.9
version/xwiki xwiki/14.10
version/xwiki xwiki/12.9-rc1
version/xwiki xwiki/15.0
version/xwiki xwiki/15.0-rc1
package-manager/maven

CVE-2023-35152: XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-35152?

How severe is CVE-2023-35152?

Which versions of XWiki Platform are affected by CVE-2023-35152?

How can I fix CVE-2023-35152?

Are there any references for CVE-2023-35152?

Company

Resources

Contact